Why Am I Blacklisted?

The most common reason for being blacklisted is because one or more computers on your network has become infected with a mass-mailing virus and is sending out spam.

Check to see which blacklists you are on and also why you are blacklisted by visiting http://www.mxtoolbox.com/blacklists.aspx and click on the link under the reason column to find out why.

If you can – lock down your firewall to block all outbound traffic on TCP port 25 from all computers except your mail server. Most spammers will try to use this port to send mail, so blocking the port will stop most spam immediately.

Check your computers with a tool such as Malwarebytes http://www.malwarebytes.org and download / install their free software and run a basic scan after updating the software online. Remove anything that it finds.

Once you have located and removed any infections on your computers, re-visit the blacklist sites and request de-listing. Some will do this immediately and others will wait a short while. Some sites will ask you to pay for express de-listing – this is up to you, but do make sure you are infection free before paying as you will quickly get listed again if you have not resolved the problem.

Exchange 2003 and Activesync Configuration and Troubleshooting

So, here is my guide to solving (most) Exchange 2003 and Activesync issues:

Pre-Requisites:

1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed. Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!

To check if you have it installed, open up Exchange System Manager (Start> Programs> Microsoft Exchange> System Manager). Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not.

If you do not have SP2 installed you can download it here – http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

2. Ensure that TCP Port 443 is open (and forwarded) on your firewall to your Exchange server. You don’t need to open up any other ports to get Activesync working, just TCP port 443. You can check this on your Exchange Server at http://www.canyouseeme.org and you should see ‘Success’ if the port is open and forwarded correctly. If it isn’t open and forwarded, check your router and make sure you have the settings configured correctly.

3. Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’ then right-click on the relevant Virtual Directory (see below) and choose properties, then click on the Directory Security Tab):

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany*
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Restricted to IP Address of Server
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm.  MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above.

* yourcompany can be determined by opening up a command prompt (Start> Run> [type] cmd [press enter]) and then typing ‘SET’ and pressing enter. The variable ‘USERDOMAIN’ is the info you should use for ‘yourcompany’. Most often – this is not required, but I have seen instances where simply adding this info has made Activesync work.

5. ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

6. Make sure that you have HTTP Keep-Alives enabled. Right-Click on the Default Web Site and choose Properties. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box and click OK

7. Check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA). If it is not there – no worries.

IPV6
Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync. (Start> Run> [type] ncpa.cpl [press enter]) Right-click on your Local Area Network Connection and choose Properties. Look under ‘This Connection Uses The Following Items:’ for Internet Protocol (TCP/IP) v6 – if it exists – uninstall it and reboot.

8. Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS manager, Right-Click the Default Website and choose properties, then on the Advanced button).

If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website (or any other website that you happen to have running that uses the same Host Header name that you are using on your SSL certificate) because this can/will also break Activesync.

If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.

SSL Certificate
Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync – for example, mail.microsoft.com. To check, right-click on the Default Web Site in IIS, choose Properties, click on the Directory Security Tab and then on the View Certificate Button.

If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

If you have a Small Business Server and don’t want to buy a 3rd Party SSL certificate, just re-run the ‘Connect To The Internet Wizard’, (Start> Server Management> To-Do List> Connect to the Internet).

Click Next. If the Wizard detects a Router – click No to leave the configuration alone.

Make sure ‘Do not change connection type’ is selected and click Next.

Leave the Web Services Configuration Settings as they are and click Next.

Select ‘Create a new Web server certificate’ and enter a ‘Web server name’ e.g., mail.yourdomain.com and click Next.

Select ‘Do not change Internet e-mail configuration’ and click Next.

Click Finish to complete the Wizard

If you have Windows Mobile Phones, Activesync is much easier to get working with a purchased SSL certificate. If you have a self-created SSL certificate and use Windows Mobile Phones, you will have to install the SSL certificate onto each and every Windows Mobile Phone that you want to use with your Exchange 2003 server. If you only have a handful of devices, then it won’t take long to do, but if you have dozens, a £30 1-Year SSL certificate is probably a very good investment. You can purchase a cheap, trusted SSL certificate from http://exchange-certificates.com that will work happily.

Windows Mobile Phone / iPhone Settings:

Email Address: Your Users Email Address
Server: Whatever name you have on your certificate e.g., mail.yourdomain.com (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: The CORRECT password!
Description: Whatever you want to call the Account

Testing:

If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do NOT check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the “Ignore Trust for SSL” checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App ‘Activesync Tester’ and this should identify any problems with your configuration, or download the version for your PC from https://store.accessmylan.com/main/diagnostic-tools

Various Activesync Errors / Solutions:

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Activesync Error 0x86000108:

Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) – http://support.microsoft.com/kb/950796/en-us

Application Event Log 3005 Errors:

A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.
For Small Business Server 2003 Users – please read this MS article – http://support.microsoft.com/kb/937635

Inconsistent Sync:

If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
ProactiveScanning REG_DWORD 1

HTTP 401 Error:

If you are getting an HTTP 401 error when testing on https://testexchangeconnectivity.com then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:

Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is – please read http://support.microsoft.com/kb/817379 and create an exchange-oma virtual directory following the instructions in the KB article.

I have had Activesync work despite seeing “An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is:

HTTP/1.1 403 Forbidden

” at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server – http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx

Also check to see if it is enabled on a user by user basis – http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx

HTTP 500 Error:

If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists. Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication – Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected – hopefully this should work or give the OK result
• If okay – right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as ‘EntireRegistry’ and save the backup of the registry to the desktop
• In regedit – locate HKLM\System\CurrentControlSet\Services\MasSync\Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the ‘Select a configuration to import’ section and click on OK. Select ‘Create a new virtual Directory’ and name the directory ‘exchange-oma’ and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse – you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync – it should hopefully be working now!

If the above fails, please check your event logs for Event ID 9667 – Source MSExchangeIS. If this event exists, please have a read of MS KB820379

In a recent question on Experts-Exchange.com, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

isinteg -s servername -fix -test alltests

Select the dismounted database and let the check run. If you see 0 errors and 0 fixes, then all is well. If not, please re-run the test until you do (as many times as it takes – two usually is sufficient).

If you are still reading this article and are still seeing HTTP 500 errors, then we need to check the settings on the EXCHWEB Virtual Directory in IIS Manager.

Exchweb Virtual Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth \ USA Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Recently added HTTP 500 Error solution for a server I worked on.

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily. If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

RECENT UPDATE (10/01/12) – A piece of software called Hide Folders 2009 (http://fspro.net/hide-folders/) has been found to install a service called “FSPRO Filter Service” and a driver file called FSPFltd.sys (in c:\windows\system32\drivers). This program breaks Activesync. If you have Activesync part working / part not working, please check your server for this software and if it is there – disable the service, move / delete the FSPFltd.sys file and restart your server. Once restarted, Activesync should return to normal functionality!

RECENT UPDATE (29/05/12) – Please make sure that the server does not have Microsoft Security Essentials installed as this will break Activesync.  If you find it is installed – please uninstall it.

Recent Update (10/07/13) – DO NOT INSTALL programs such as Disk Keeper on any server running Exchange as it too will break Activesync!

If you are still not working – then you will probably have to call Microsoft to get support from them as something else not covered by this article is causing your problems.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far – and hopefully fixing your problems – if you have found this article helpful, please vote for it at the top of the page : )


Exchange 2010 POP3 Collection Problems

After a recent successful Server Migration from Exchange 2003 to Exchange 2010, I discovered (my phone was ringing off the hook) that there was a problem with users accessing their mailboxes via POP3. I later discovered that this problem only affected users that had been migrated and not users that were setup fresh on the Exchange 2010 server.

Having struggled to ascertain a reason why, I contacted Microsoft and they helped me to troubleshoot the problem.

After much time spent with Microsoft on the phone testing, tweaking, more testing and more tweaking, we were not getting anywhere.

Eventually they got me to download a capture program to monitor the problem and then we did some more testing and I sent them the captured info, which contained the errors in the POP3 collection process.

Anyway, to cut a relatively long and very unexciting story short, they advised me that there was a known problem with migrated users on Exchange 2010 who use POP3 to collect their mail. This problem only affects users who have been migrated (as I had discovered), so if you create a brand new email account and test POP3 mail collection, it will work fine.

The fix for this problem from Microsoft will be released in Exchange 2010 Rollup 2, so if you have not yet installed this Rollup (and it is available) and you are suffering from this particular problem, then please bring your server up-to-date.

At the time of writing this article (Feb 16th 2010), the Rollup has not been released, but it is rumoured to be appearing in late Feb / early March 2010.

As a workaround, I have exported all mail in the affected mailboxes, deleted the entire user account, recreated the account and put the mail back again. The user can then use their favourite email program to pull down the mail as expected.

Rollup 2 for Exchange 2010 has now been released and can be downloaded from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=6d3ae3e0-3982-46d6-9e9c-7d7d63fae565&displaylang=en

Problems sending emails to external domains

If you face problems sending out emails, but only to a handful of domains, please run through the following checks / tests and make sure your environment is setup properly:

  • Check your domain on http://www.dnsstuff.com (subscription required) or http://www.mxtoolbox.com/diagnostic.aspx (free) and see if you have a Reverse DNS pointer setup.  If you do not have one setup – call your Internet Service Provider (ISP) and ask them to set one up to match the Fully Qualified Domain Name (FQDN) that your mail server responds as e.g., mail.yourcompany.com. Also, your mailserver FQDN should also be setup with something like mail.yourcompany.com.  Any FQDN ending in .local or .internal or anything that is not a valid Internet Domain Name is not correct and should be changed otherwise you may experience problems sending out emails to some domains.
  • Check that your IP address is not listed on any Blacklists on http://www.mxtoolbox.com/blacklists.aspx – If you appear on any blacklists, then you may have problems sending mail to some domains who check against blacklists (not everyone does, but a lot do).  Follow the links on the results page to the particular blacklist site to find out the reason why you are listed (you may have an infected computer sending out spam that you are not aware of) and then deal with the issue before requesting removal from those blacklists (if you don’t deal with the problem, such as an infected computer, you will get removed from the blacklist, but will only re-appear again as more spam is sent out).  Once you know what you are facing, you can resolve the problem.

If you are blacklisted – configure your firewall / router to block all traffic on TCP Port 25 Outbound from all IP addresses apart from your Mail Server.  This should reduce the possibility of an infection from getting you blacklisted further and will help prevent getting listed again once you have cleaned up your network.

  • Check your IP reputation on Senderbase http://www.senderbase.org/senderbase_queries/rep_lookup.  You will either be Good, Neutral or Poor.  If your reputation is Poor – then you may have problems sending out mail and are most likely appearing on a blacklist or two somewhere.  If you are Neutral, then you may have had a problem in the recent past and are still recovering your reputation.  If you have a Good reputation, you should have no problems sending out emails.
  • Check to see if you have an SPF (Sender Policy Framework) record setup on http://www.mxtoolbox.com/spf.aspx – If you do not have a record setup, visit http://old.openspf.org/wizard.html, run through the various options carefully and then you should see your SPF record in the final box at the bottom of the screen. Once you have an SPF record, you have to publish this record in your domain’s DNS records by adding a TXT record with the SPF record as the data e.g., Type=TXT Record=(output from http://old.openspf.org/wizard.html). An alternative site to the openspf.org site that you can use is http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
  • Check to make sure that the advertised IP Address in DNS for your primary MX record is the same IP address that you are sending mail from. Ideally – they should be the same for optimal mail-flow although if you are using a 3rd party spam filtering service or have inbound mail on one IP Address and outbound mail on another, this is not going to be possible.

If you do send out mail from a different IP address to the advertised MX record IP Address, please check that the Reverse DNS entry for this IP Address is also configured properly and that it resolves correctly to the same IP address (I use http://www.dnsstuff.com to check this – but you will need a subscription!). As an example, if you send mail out via IP 123.123.123.123 and the Reverse DNS entry setup on this IP address by your ISP is mail.yourcompany.com, mail.yourcompany.com should also resolve in DNS back to the same 123.123.123.123 IP Address.
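The checks in this section (a reverse DNS name that resolves back to the sending IP, DNSBL listing, a published SPF record and MX / outbound IP alignment), as an added Python example that is not part of the original article. The DNS data, the contrasting 123.123.123.124 host and the dnsbl.example zone are constructed so it runs offline; plug a real resolver (for example dnspython) into the lookup callable to audit a live domain.

```python
"""Outbound mail hygiene checks: FCrDNS, DNSBL, SPF presence, MX alignment.
Added example, not from the original article. All DNS data below is
constructed; lookup(name, rtype) -> list of record strings is the only
thing to swap for a real resolver."""

from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed zone data: a correctly configured sender using the article's
# example IP (123.123.123.123), a misconfigured neighbour (.124) whose PTR
# points to a .local name and which is listed in a placeholder DNSBL zone.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("123.123.123.123.in-addr.arpa.", "PTR"): ["mail.yourcompany.com."],
    ("mail.yourcompany.com.", "A"): ["123.123.123.123"],
    ("yourcompany.com.", "MX"): ["10 mail.yourcompany.com."],
    ("yourcompany.com.", "TXT"): ["v=spf1 mx -all"],
    ("124.123.123.123.in-addr.arpa.", "PTR"): ["sbs.yourcompany.local."],
    ("124.123.123.123.dnsbl.example.", "A"): ["127.0.0.2"],
}


def constructed_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a resolver; an empty list means no such record."""
    return CONSTRUCTED_ZONE.get((name.lower(), rtype), [])


def reverse_octets(ip: str) -> str:
    return ".".join(reversed(ip.split(".")))


def check_fcrdns(ip: str, lookup: Lookup) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: the PTR name must be a public Internet
    name and must resolve back to the same IP address."""
    ptrs = lookup(reverse_octets(ip) + ".in-addr.arpa.", "PTR")
    if not ptrs:
        return False, "no reverse DNS (PTR) record; ask your ISP to add one"
    name = ptrs[0]
    if name.rstrip(".").endswith((".local", ".internal")):
        return False, f"PTR {name} is not a valid Internet domain name"
    if ip not in lookup(name, "A"):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, f"PTR {name} resolves back to {ip}"


def check_dnsbl(ip: str, zone: str, lookup: Lookup) -> Tuple[bool, str]:
    """A DNSBL answers the reversed-IP query with a 127.0.0.x code if listed."""
    answers = lookup(f"{reverse_octets(ip)}.{zone}.", "A")
    listed = [a for a in answers if a.startswith("127.")]
    if listed:
        return True, f"{ip} listed in {zone} (return code {listed[0]})"
    return False, f"{ip} not listed in {zone}"


def check_spf(domain: str, lookup: Lookup) -> Optional[str]:
    """Return the published SPF record (TXT starting with v=spf1), if any."""
    for txt in lookup(domain.rstrip(".") + ".", "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_mx_alignment(domain: str, outbound_ip: str,
                       lookup: Lookup) -> Tuple[bool, List[str]]:
    """Does the primary MX host advertise the IP that we actually send from?"""
    mx = sorted(lookup(domain.rstrip(".") + ".", "MX"),
                key=lambda rec: int(rec.split()[0]))
    if not mx:
        return False, []
    primary = mx[0].split()[1]
    addrs = lookup(primary, "A")
    return outbound_ip in addrs, addrs


def audit_sender(domain: str, outbound_ip: str, dnsbl_zone: str,
                 lookup: Lookup = constructed_lookup) -> Dict[str, object]:
    """Run every check and return the findings for one outbound IP."""
    fcrdns_ok, fcrdns_msg = check_fcrdns(outbound_ip, lookup)
    listed, dnsbl_msg = check_dnsbl(outbound_ip, dnsbl_zone, lookup)
    spf = check_spf(domain, lookup)
    aligned, mx_addrs = check_mx_alignment(domain, outbound_ip, lookup)
    return {
        "fcrdns_ok": fcrdns_ok, "fcrdns": fcrdns_msg,
        "blacklisted": listed, "dnsbl": dnsbl_msg,
        "spf": spf, "spf_ok": spf is not None,
        "mx_aligned": aligned, "mx_addrs": mx_addrs,
    }


if __name__ == "__main__":
    for ip in ("123.123.123.123", "123.123.123.124"):
        for key, value in audit_sender("yourcompany.com", ip,
                                       "dnsbl.example").items():
            print(f"{ip} {key}: {value}")
```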

Having checked all of the above and made any corrections to your configuration, your mail should be flowing better. If it is not, your house is now in order, you are not listed on any blacklists and you still have problems sending out mail to one or more domains, then the external domain may be specifically blocking you (Hotmail are quite good at doing this for no particularly good reason), and you will need to contact them to try to resolve the issue.

How to prevent Spoofed Emails in Exchange 2003

Spammers use all type of techniques to get their rubbish through to you and one technique that they use is called spoofing, whereby they forge the sender address and use your own email address, or someone@yourdomainname.com as the sender address.

There are various ways to combat this and in Exchange 2003, you can do the following:

  • Setup Sender Filtering to stop inbound emails that are supposedly from your own domain name.
  • Setup Tarpitting to slow down spammers who try to determine the email addresses that are sitting on your Exchange server.
  • Setup a Sender Policy Framework (SPF) record for your domain.
  • Setup Sender ID filtering to check SPF records for inbound email and reject ones that fail.
  • Setup Recipient Filtering (won’t solve the spoofing problem, but it is highly recommended to set this up too)
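The sender filtering and Sender ID checks from the list above, as an added Python example that is not the article's or Exchange's own code: a minimal SPF evaluator for the ip4, a, mx, include and all mechanisms, plus an inbound decision that rejects unauthenticated mail claiming to come from our own domain and mail whose source IP hard-fails the sender domain's SPF record. The DNS data, _spf.filter.example and partner.example are constructed, and treating authenticated submissions as exempt from sender filtering is an assumption.

```python
"""Minimal SPF / Sender ID evaluation and an own-domain sender filter.
Added example, not from the article or Exchange. DNS data is constructed so
the script runs offline; lookup(name, rtype) is the injection point."""

import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed DNS data: yourcompany.com allows its MX host and a hypothetical
# filtering provider's range, then hard-fails; partner.example soft-fails.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("yourcompany.com", "TXT"): ["v=spf1 mx include:_spf.filter.example -all"],
    ("yourcompany.com", "MX"): ["10 mail.yourcompany.com"],
    ("mail.yourcompany.com", "A"): ["123.123.123.123"],
    ("_spf.filter.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("partner.example", "TXT"): ["v=spf1 a ~all"],
    ("partner.example", "A"): ["203.0.113.10"],
}


def constructed_lookup(name: str, rtype: str) -> List[str]:
    return CONSTRUCTED_ZONE.get((name.lower().rstrip("."), rtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _host_matches(ip, host: str, lookup: Lookup) -> bool:
    """True if any A record of host equals the connecting IP."""
    return any(ip == ipaddress.ip_address(a) for a in lookup(host, "A"))


def spf_check(ip_str: str, domain: str, lookup: Lookup, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for ip_str
    sending as domain. Mechanisms are tested left to right; the first match
    decides, and a record with no matching term is neutral."""
    if depth > 10:                      # bound include recursion
        return "permerror"
    ip = ipaddress.ip_address(ip_str)
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_matches(ip, arg or domain, lookup)
        elif mech == "mx":
            matched = any(_host_matches(ip, rec.split()[1], lookup)
                          for rec in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = spf_check(ip_str, arg, lookup, depth + 1) == "pass"
        else:
            return "permerror"          # ip6, ptr, exists, exp etc. not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def accept_inbound(mail_from: str, source_ip: str, authenticated: bool,
                   our_domain: str,
                   lookup: Lookup = constructed_lookup) -> Tuple[bool, str]:
    """Decision for one inbound SMTP session: own-domain sender filtering
    first (authenticated submissions exempt, an assumption), then SPF."""
    sender_domain = mail_from.rpartition("@")[2].lower()
    if sender_domain == our_domain.lower() and not authenticated:
        return False, "sender filtering: our own domain from an unauthenticated host"
    result = spf_check(source_ip, sender_domain, lookup)
    if result == "fail":
        return False, f"sender id: SPF hard fail for {sender_domain} from {source_ip}"
    return True, f"accepted (SPF {result})"


if __name__ == "__main__":
    print(accept_inbound("spoof@yourcompany.com", "203.0.113.50", False, "yourcompany.com"))
    print(accept_inbound("user@yourcompany.com", "123.123.123.123", True, "yourcompany.com"))
    print(accept_inbound("bob@partner.example", "203.0.113.11", False, "yourcompany.com"))
```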

To set these various Anti-Spam techniques up, you should first check that you are using Exchange 2003 Service Pack 2 by opening up Exchange System Manager, expanding Servers, then click onto your server and then right-click on your server and choose properties.

The screen that follows should advise you what Service Pack your Exchange Server is on.  If it does not say Service Pack 2, please visit the following link to download and install it:

http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

If you are already on Exchange 2003 Service Pack 2, then please review the following articles to setup the various Anti-Spam techniques:

Once you have setup the above, you should be free from spoofed emails claiming to come from anyone@yourdomain.com or from your own email address to yourself!

As an alternative to the above, you could simply install some Anti-Spam software. One product that I have been using recently, after it was recommended to me by a Microsoft Exchange MVP, is Vamsoft ORF, which is currently priced at $239 per server. It has drastically reduced the amount of spam that I have been receiving, and my customers who also have Vamsoft have seen a dramatic reduction in their spam levels too. Their website is www.vamsoft.com.

Exchange 2010 Rollup 2 scheduled release

I have just received word on the Grapevine that Rollup 2 for Exchange 2010 is scheduled for release at the end of this week.

This rollup will fix several problems, including a problem that affects users who have been migrated from a previous Exchange server version that are using POP3 to collect their mail – they simply cannot retrieve their emails!

Vamsoft ORF 4.4 Released

The latest incarnation of Vamsoft ORF has been released:

http://bit.ly/biaXTC

Vamsoft 5.0 will be released in Q2 2010 and 4.4 is only an interim release providing support for Exchange 2010, IIS6 SMTP Service for Windows Server 2008/2008 R2 and a blacklist update for Spamhaus CSS.

Beware bogus telephone support calls claiming to come from Microsoft

A customer of mine just rang me to advise me that a member of their staff at a remote branch office had received a call claiming to come from Microsoft saying that their machine had been sending out spam or similar and that they could connect remotely and deal with the problem.

They declined saying that they could not do it right now, but could tomorrow and the call ended.

Microsoft are not in the business of phoning their customers to resolve their problems over the phone, so the calls were clearly bogus.

The calls were apparently very convincing and I am sure that there will be lots of people that will fall for the scam and no doubt end up with bigger problems on their hands.

If you receive such a call, please decline any offers of remote support and hang up.

Why are my Outbound Queues Filling up with Mail that we didn’t send?

If your emails are building up on your Exchange 2003 server and you don’t recognise any of the destination address then you have got a problem and need to resolve it.   To work out what your problem is, please double-click into one of the unknown domain name queues, then click on the Find Now button and then double-click into one of the messages that are returned.

Look at the sender of the message.  If the sender is postmaster@yourdomain.com, you are suffering from a Non Delivery Attack.  If the sender is a random user not in your organisation, then you are suffering from an Authenticated Relay attack.

Non Delivery Attack:

To prevent a Non-Delivery Attack, please turn on Recipient Filtering to reject recipients not in your organisation:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

The reason for this is that you are currently accepting messages for anyone at yourcompany, even made up names.  If the recipient does not exist, your server is sending a Non-Delivery Report back to the sending email address and as spammers usually make up the sender address, the email message will not be able to go anywhere as the domain is invalid.  Some of the email addresses that spammers use will be valid email addresses and thus some Non-Delivery report mail will get sent out to people who did not send an email to you in the first place and they will potentially report you as a spammer.  Mail of this type is known as Backscatter and this can get you Blacklisted.  Please see  http://en.wikipedia.org/wiki/Backscatter_(e-mail) for more details.

If you also turn on Recipient Filtering, your server will reject recipients that are not setup on your server and the sending mail server will be responsible for sending a Non Delivery Report, not your server, thus shifting the problem back onto the spammer – http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html

Another tool that you can use to slow down spammers is to implement something called Tarpitting which forces a delay into the mail-flow process for anyone sending mail to an invalid address on your server. This means that anyone targeting your server will spend lots of time waiting for a response from your server, slowing them down – http://support.microsoft.com/kb/842851

Authenticated Relay Attack:

If the sender is not postmaster@yourdomain.com and is some random address, please Open Exchange System Manager and expand Servers> Right-click the Server Name and choose Properties> Select the Diagnostics Logging tab.

In the Services window, select MSExchangeTransport, and in the Categories window increase the logging level for Authentication to maximum.  Once you have done this, keep an eye on your Application Event Logs looking for event ID 1708 and it should soon become apparent which account is being abused.  Once you know which user account is being abused, change the password for that account and then stop and restart the Simple Mail Transfer Protocol Service and then cleanup your queues (The Administrator account is the usual target for spammers).

Cleanup:

A really useful tool to help clear up the queues very quickly is Aqadmcli.exe which can be downloaded from ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

Once downloaded – run from a command prompt and then use the following commands to empty the queue based on the sender address:

delmsg flags=sender,sender=sender@domain.com

To delete ALL messages in your queues, type the following:

delmsg flags=all

A good document to help you cleanup if you don’t like the above idea is – http://www.amset.info/exchange/spam-cleanup.asp

Once you have cleaned up – please return the logging level back to None.

About Me

I co-own a small independent IT Consultancy called IT Eye Ltd who provide support, consultancy, e-mail hosting solutions & server / workstation / network installations for the SMB (Small and Medium sized Businesses) marketplace.   We provide consultancy / support services to Businesses that are large enough to need IT systems, but that don’t require a full-time member of staff employed to manage their IT systems.  As a result, we are extremely cost effective and can save companies thousands of pounds on their annual IT spend.

We are based in the South-East of England in the Beckenham, Chislehurst & Eltham areas but we regularly travel to London and areas within the M25, sometimes beyond (we used to support a company in Jersey!). We can also remotely support any computer that is connected to the Internet (we have remotely supported several US based computers and also one in Australia, although I won’t be rushing to repeat that experience as the connection was a little bit on the slow side) and offer fixed price annual support contracts starting from £140 per PC. You will find me regularly posting on Experts Exchange: http://www.experts-exchange.com/M_4926565.html where I have been active since May 2009.

I have recently migrated an Exchange 2003 Server in Kansas to Exchange 2010 with zero downtime and all done remotely.

If you have a Microsoft server that is in need of an upgrade / migration, then you will be in safe hands.  I have performed numerous SBS / Exchange / Windows migrations, both locally and remotely all around the world.

HIRE ME! I have extensive knowledge of a wide range of Microsoft Products, predominantly Microsoft Exchange and Windows Server products, and can support existing installations, integrate new servers into existing configurations or set up / configure brand new environments. You can contact me directly by email at alan @ it-eye.co.uk or you can visit our website at http://www.it-eye.co.uk.